Security Analysis of DNS, Applications, Email

EE 122: Intro to Communication Networks
Fall 2007 (WF 4-5:30 in Cory 277)
Vern Paxson
TAs: Lisa Fowler, Daniel Killebrew, Jorge Ortiz
http://inst.eecs.berkeley.edu/~ee122/

Materials with thanks to Jennifer Rexford, Ion Stoica, and colleagues at Princeton and UC Berkeley


Announcements

- Next Wednesday's lecture will be given by Lisa
- I won't have my usual 3-4PM office hours next Wednesday, but will be available at the usual 3-4PM slot on Friday, as well as by appointment via email as always
- Reminder: first phase of Project 1 due next Wednesday by 11PM
  - The writeup has been updated for clarity; see mailing list archives for diffs
- Thanksgiving week: I'll give the same lecture twice, Mon 4-5:30PM (room TBD) and Weds (usual)


Goals of Today's Lecture

- Finish discussion of the workings of DNS
- DNS security analysis
- Applications in general, and Email in particular


    unix> dig +norecurse @a.root-servers.net in-addr.arpa ns

    ; <<>> DiG 9.3.4 <<>> +norecurse @a.root-servers.net in-addr.arpa ns
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62001
    ;; flags: qr aa; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 12

    ;; QUESTION SECTION:
    ;in-addr.arpa.              IN    NS

    ;; ANSWER SECTION:
    in-addr.arpa.       86400   IN    NS    G.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    H.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    I.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    K.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    L.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    M.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    A.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    B.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    C.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    D.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    E.ROOT-SERVERS.NET.
    in-addr.arpa.       86400   IN    NS    F.ROOT-SERVERS.NET.


    unix> dig +norecurse @a.root-servers.net -x 64.236.24.12

    ;; QUESTION SECTION:
    ;12.24.236.64.in-addr.arpa.     IN    PTR

    ;; AUTHORITY SECTION:
    64.in-addr.arpa.    86400   IN    NS    dill.ARIN.NET.
    64.in-addr.arpa.    86400   IN    NS    BASIL.ARIN.NET.
    64.in-addr.arpa.    86400   IN    NS    henna.ARIN.NET.
    64.in-addr.arpa.    86400   IN    NS    indigo.ARIN.NET.
    64.in-addr.arpa.    86400   IN    NS    epazote.ARIN.NET.
    64.in-addr.arpa.    86400   IN    NS    figwort.ARIN.NET.
    64.in-addr.arpa.    86400   IN    NS    chia.ARIN.NET.

    (no ADDITIONAL section)

    ;; Query time: 93 msec
    ;; SERVER: 198.41.0.4#53(198.41.0.4)
    ;; WHEN: Thu Sep 20 23:50:49 2007
    ;; MSG SIZE  rcvd: 194


    unix> dig +norecurse @dill.arin.net -x 64.236.24.12

    ;; QUESTION SECTION:
    ;12.24.236.64.in-addr.arpa.     IN    PTR

    ;; AUTHORITY SECTION:
    236.64.in-addr.arpa.    86400   IN    NS    dns-02.atdn.net.
    236.64.in-addr.arpa.    86400   IN    NS    dns-01.atdn.net.

    unix> dig +norecurse @dns-02.atdn.net -x 64.236.24.12

    ;; QUESTION SECTION:
    ;12.24.236.64.in-addr.arpa.     IN    PTR

    ;; ANSWER SECTION:
    12.24.236.64.in-addr.arpa.  3600    IN    PTR   www3.cnn.com.

    ;; AUTHORITY SECTION:
    24.236.64.in-addr.arpa.     3600    IN    NS    dns-02.atdn.net.
    24.236.64.in-addr.arpa.     3600    IN    NS    dns-01.atdn.net.

    ;; ADDITIONAL SECTION:
    dns-01.atdn.net.            3600    IN    A     64.12.51.136
    dns-02.atdn.net.            3600    IN    A     205.188.157.236


Inserting Resource Records into DNS

- Example: just created startup "FooBar"
- Get a block of address space from ISP
  - Say 212.44.9.128/25
- Register foobar.com at Network Solutions (say)
  - Provide registrar with names and IP addresses of your authoritative name server (primary and secondary)
  - Registrar inserts RR pairs into the com TLD server:
    o (foobar.com, dns1.foobar.com, NS)
    o (dns1.foobar.com, 212.44.9.129, A)
- Put in your (authoritative) server dns1.foobar.com:
  - Type A record for www.foobar.com
  - Type MX record for foobar.com


Setting up foobar.com, con't

- In addition, need to provide reverse PTR bindings
  - E.g., 212.44.9.129 -> dns1.foobar.com
- Normally, these would go in 9.44.212.in-addr.arpa
- Problem: you can't run the name server for that domain. Why not?
  - Because your block is 212.44.9.128/25, not 212.44.9.0/24
  - And whoever has 212.44.9.0/25 won't be happy with you owning their PTR records
- Solution: ISP runs it for you
  - Now it's more of a headache to keep it up-to-date


Security Analysis of DNS

- What security issues does the design & operation of the Domain Name System raise?
- Degrees of freedom:

    16 bits                  16 bits
    Identification           Flags
    # Questions              # Answer RRs
    # Authority RRs          # Additional RRs
    Questions (type, class, domain name)
    Answers (variable # of resource records)
    Authority (variable # of resource records)
    Additional information (variable # of resource records)


Security Problem 1: Starbucks

- As you sip your latte and surf the Web, how does your laptop find google.com?
- Answer: it asks the local name server per Dynamic Host Configuration Protocol (DHCP) ...
  - ... which is run by Starbucks or their contractor
  - ... and can return to you any answer they please
  - ... including a "man in the middle" site that forwards your query to Google, gets the reply to forward back to you, yet can change anything they wish in either direction
- How can you know you're getting correct data?
  - Today, you can't. (Though if site is HTTPS, that helps)
  - One day, hopefully: DNSSEC extensions to DNS


Security Problem 2: Cache Poisoning

- Suppose you are a Bad Guy and you control the name server for foobar.com. You receive a request to resolve www.foobar.com and reply:

    ;; QUESTION SECTION:
    ;www.foobar.com.            IN    A

    ;; ANSWER SECTION:
    www.foobar.com.     300     IN    A     212.44.9.144

    ;; AUTHORITY SECTION:
    foobar.com.         600     IN    NS    dns1.foobar.com.
    foobar.com.         600     IN    NS    google.com.

    ;; ADDITIONAL SECTION:
    google.com.         5       IN    A     212.44.9.155

  - TTL of 5: evidence of the attack disappears 5 seconds later
  - 212.44.9.155: a foobar.com machine, not google.com


Cache Poisoning, con't

- Okay, but how do you get the victim to look up www.foobar.com in the first place?
- Perhaps you connect to their mail server and send
  - HELO www.foobar.com
  - Which their mail server then looks up to see if it corresponds to your source address (anti-spam measure)
- Note, with compromised name server we can also lie about PTR records (address -> name mapping)
  - E.g., for 212.44.9.155 = 155.44.9.212.in-addr.arpa return google.com (or whitehouse.gov, or whatever)
    o If our ISP lets us manage those records as we see fit, or we happen to directly manage them


Cache Poisoning, con't

- Suppose Bad Guy is at Starbuck's and they can sniff (or even guess) the identification field the local server will use in 16 bits …
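A resolver-side check against the forged ADDITIONAL record in the Security Problem 2 reply, given here as an added example that is not part of the original lecture: cache a record only if its owner name lies inside the zone the queried server answers for (a bailiwick check). The RR class, the function names and the RESPONSE data are constructed for illustration from the values shown in that reply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name of the record
    ttl: int
    rtype: str
    rdata: str


def norm(name: str) -> str:
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is the zone apex or a subdomain of `zone`."""
    name, zone = norm(name), norm(zone)
    # Match on whole labels, so "notfoobar.com" is not inside "foobar.com".
    return zone == "" or name == zone or name.endswith("." + zone)


def filter_response(zone: str, sections: dict) -> tuple:
    """Split a response into (accepted, rejected) lists of (section, RR)."""
    accepted, rejected = [], []
    for section, records in sections.items():
        for rr in records:
            bucket = accepted if in_bailiwick(rr.name, zone) else rejected
            bucket.append((section, rr))
    return accepted, rejected


# Constructed from the reply shown above, sent by the foobar.com server.
RESPONSE = {
    "answer": [RR("www.foobar.com.", 300, "A", "212.44.9.144")],
    "authority": [
        RR("foobar.com.", 600, "NS", "dns1.foobar.com."),
        RR("foobar.com.", 600, "NS", "google.com."),
    ],
    "additional": [RR("google.com.", 5, "A", "212.44.9.155")],
}

if __name__ == "__main__":
    ok, bad = filter_response("foobar.com", RESPONSE)
    for section, rr in bad:
        print(f"rejected ({section}): {rr.name} {rr.rtype} {rr.rdata}")
```

The NS record naming google.com is kept because its owner, foobar.com, is in zone; what the check refuses is the address supplied for that out-of-zone name, which the resolver has to obtain from the com hierarchy itself.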